Which SIEM platforms have a CVE-2026-25108 detection rule?

df00tech provides CVE-2026-25108 (Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108) (CVE-2026-25108)?

Detecting Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108) requires the following data sources: CommonSecurityLog, W3CIISLog, SecurityAlert, AzureActivity.

What severity and confidence is the CVE-2026-25108 detection?

The CVE-2026-25108 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2026-25108?

Common false positives for CVE-2026-25108 include: Legitimate administrative scripts that pass shell-like syntax in URL parameters for non-malicious purposes; Vulnerability scanners or penetration testing tools running authorized assessments against the appliance; URL-encoded special characters in file names uploaded through the FileZen interface that decode to metacharacters.

CVE-2026-25108

Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108)

Initial Access Execution Privilege Escalation Impact Last updated: June 19, 2026

Detects exploitation of CVE-2026-25108, an OS command injection vulnerability (CWE-78) in Soliton Systems K.K FileZen file-sharing appliance. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog and allows unauthenticated or authenticated attackers to inject arbitrary OS commands through vulnerable input fields, potentially leading to full system compromise.

Vulnerability Intelligence

KEV — Known Exploited

CVE

CVE-2026-25108↗ NVD

Affected Software

Vendor: Soliton Systems K.K
Product: FileZen

Weakness (CWE)

CWE-78

Timeline

Disclosed: February 24, 2026

References & Proof of Concept

CVSS

Unscored

Write-up coming soon

What is CVE-2026-25108 Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108)?

Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108) (CVE-2026-25108) maps to the Initial Access and Execution and Privilege Escalation and Impact tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108), covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, SecurityAlert, AzureActivity. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access Execution Privilege Escalation Impact

Microsoft Sentinel / Defender

kusto

let FileZenIPs = dynamic([]);
let SuspiciousCommands = dynamic(['wget','curl','bash','sh','nc','ncat','python','perl','ruby','chmod','chown','id','whoami','uname','cat /etc/passwd','base64']);
union
(
  CommonSecurityLog
  | where TimeGenerated > ago(7d)
  | where DeviceProduct has_any ("FileZen", "filezen")
  | where RequestURL has_any ('upload','download','admin','config','login')
  | where RequestURL matches regex @"[;&|`$(){}\[\]]"
  | extend SuspiciousChars = extract(@"([;&|`$(){}\[\]]{1,})", 1, RequestURL)
  | project TimeGenerated, SourceIP, DestinationIP, RequestURL, SuspiciousChars, DeviceVendor, DeviceProduct, Activity
),
(
  AzureActivity
  | where TimeGenerated > ago(7d)
  | where ResourceProviderValue == "MICROSOFT.SECURITY"
  | where Properties has_any ("FileZen", "CVE-2026-25108")
  | project TimeGenerated, Caller, OperationName, ResourceGroup, Properties
),
(
  SecurityAlert
  | where TimeGenerated > ago(7d)
  | where AlertName has_any ("command injection", "FileZen", "CVE-2026-25108")
  | project TimeGenerated, AlertName, AlertSeverity, Entities, ExtendedProperties
),
(
  W3CIISLog
  | where TimeGenerated > ago(7d)
  | where csUriStem has_any ("/cgi-bin/", "/admin/", "/upload", "/download")
  | where csUriQuery matches regex @"[;&|`$(){}\[\]]"
  | where csUserAgent !in ("GoogleBot", "BingBot")
  | extend InjectionAttempt = extract(@"([;&|`]{1,}[^&\s]{3,})", 1, csUriQuery)
  | where isnotempty(InjectionAttempt)
  | project TimeGenerated, cIP, csHost, csUriStem, csUriQuery, InjectionAttempt, scStatus
)
| extend Severity = "Critical"
| extend CVE = "CVE-2026-25108"
| extend Tactic = "Initial Access / Execution"
| order by TimeGenerated desc

Detects potential OS command injection attempts against Soliton FileZen appliances by monitoring for shell metacharacters in HTTP request URLs and query strings, as well as SIEM alerts referencing the CVE. Also correlates IIS/web server logs for injection patterns in CGI and admin endpoints.

critical severity medium confidence

Data Sources

CommonSecurityLog W3CIISLog SecurityAlert AzureActivity

Required Tables

CommonSecurityLog W3CIISLog SecurityAlert AzureActivity

False Positives

Legitimate administrative scripts that pass shell-like syntax in URL parameters for non-malicious purposes
Vulnerability scanners or penetration testing tools running authorized assessments against the appliance
URL-encoded special characters in file names uploaded through the FileZen interface that decode to metacharacters
Security monitoring agents that generate alerts with CVE references during routine scanning

Splunk

spl

index=* sourcetype IN ("access_combined", "access_combined_wcookie", "cisco:asa", "pan:traffic", "syslog", "wineventlog")
(
  (
    (uri="*/cgi-bin/*" OR uri="*/admin/*" OR uri="*/upload*" OR uri="*/download*" OR uri="*/login*")
    AND (uri="*%3B*" OR uri="*%7C*" OR uri="*%60*" OR uri="*;*" OR uri="*|*" OR uri="*`*" OR uri="*$(*)" OR uri="*&&*")
  )
  OR
  (
    host IN ("filezen", "FileZen", "soliton")
    AND (uri="*wget*" OR uri="*curl*" OR uri="*bash*" OR uri="*nc *" OR uri="*chmod*" OR uri="*python*")
  )
  OR
  (
    message="*CVE-2026-25108*" OR message="*FileZen*command*injection*"
  )
)
| eval injection_chars=if(match(uri, "[;&|`$(){}\[\]]"), "true", "false")
| eval suspicious_cmd=case(
    match(uri, "wget|curl|bash|sh |/bin/|python|perl|ruby"), "shell_download_or_exec",
    match(uri, "nc |ncat|socat"), "reverse_shell_tool",
    match(uri, "id;|whoami|/etc/passwd|/etc/shadow"), "recon_command",
    true(), "other"
  )
| eval cve="CVE-2026-25108"
| eval severity="critical"
| table _time, src_ip, dest_ip, host, uri, status, injection_chars, suspicious_cmd, cve, severity
| sort -_time

Detects OS command injection attempts against Soliton FileZen via web access logs by identifying shell metacharacters and known command strings in HTTP request URIs targeting common FileZen administrative and file-handling endpoints.

critical severity medium confidence

Data Sources

Web proxy logs Apache/Nginx access logs IIS logs Network firewall logs

Required Sourcetypes

access_combined access_combined_wcookie cisco:asa pan:traffic syslog

False Positives

Authorized penetration testing or vulnerability assessments that submit injection payloads for validation purposes
Legitimate file uploads with special characters in filenames that appear in access logs as encoded metacharacters
Internal monitoring tools that probe administrative endpoints using scripted requests resembling injection attempts
URL encoding of legitimate query parameters that decode to shell-like syntax in log analysis

Sumo Logic CSE

sql

_sourceCategory=*web* OR _sourceCategory=*access* OR _sourceCategory=*proxy*
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, authuser, datetime, method, uri, protocol, status, bytes nodrop
| where uri matches "*/cgi-bin/*" or uri matches "*/admin/*" or uri matches "*/upload*" or uri matches "*/download*" or uri matches "*/login*"
| where (
    uri matches "*;*" or uri matches "*|*" or uri matches "*`*"
    or uri matches "*$(*)" or uri matches "*%3B*" or uri matches "*%7C*" or uri matches "*%60*"
    or uri matches "*wget*" or uri matches "*curl*" or uri matches "*bash*"
    or uri matches "*python*" or uri matches "*perl*" or uri matches "*nc *"
    or uri matches "*/etc/passwd*" or uri matches "*/bin/sh*" or uri matches "*/bin/bash*"
  )
| fields _messagetime, src_ip, method, uri, status, bytes
| eval injection_type = if(uri matches "*wget*|*curl*|*python*|*perl*", "download_or_exec",
                        if(uri matches "*nc *|*ncat*|*socat*", "reverse_shell",
                        if(uri matches "*/etc/passwd*|*/etc/shadow*|*whoami*|*id;*", "recon", "generic_injection")))
| eval cve = "CVE-2026-25108"
| eval severity = "critical"
| count by src_ip, injection_type
| sort by _count desc

Sumo Logic query parsing web access logs to identify HTTP requests to FileZen administrative and file-handling paths that contain OS command injection metacharacters or known exploit tool references, with injection type classification for analyst triage.

critical severity medium confidence

Data Sources

Web server access logs Reverse proxy logs Load balancer logs

Required Tables

_sourceCategory=*web* _sourceCategory=*access* _sourceCategory=*proxy*

False Positives

Automated file processing workflows that construct URLs with encoded special characters for legitimate file operations
Penetration testing engagements that inject payloads into FileZen endpoints as part of authorized scope
Log parsing errors that misidentify encoded characters in normal file path parameters as injection attempts
Security product integrations that append metadata to request URLs using characters that match injection signatures

Google Chronicle / SecOps

yaral

rule cve_2026_25108_filezen_os_command_injection {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects exploitation of CVE-2026-25108 OS command injection in Soliton FileZen"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://jvn.jp/en/jp/JVN84622767/"
    cve = "CVE-2026-25108"
    mitre_attack_tactic = "TA0001, TA0002"
    mitre_attack_technique = "T1190"

  events:
    (
      $req.metadata.event_type = "NETWORK_HTTP"
      and (
        re.regex($req.network.http.target_url, `(?i)(/cgi-bin/|/admin/|/upload|/download|/login)`)
        and (
          re.regex($req.network.http.target_url, `[;&|` + "`" + `$(){}\[\]]`)
          or re.regex($req.network.http.target_url, `(?i)(wget|curl|bash|python|perl|nc\s|/bin/sh|/etc/passwd|chmod)`)
        )
      )
    )
    or
    (
      $proc.metadata.event_type = "PROCESS_LAUNCH"
      and $proc.target.process.command_line != ""
      and re.regex($proc.target.process.command_line, `(?i)(wget|curl|nc\s|ncat|python|perl|bash\s+-[ci]|/dev/tcp|/dev/udp)`)
      and $proc.principal.process.file.full_path = "/var/www/*"
    )

  match:
    $req.principal.ip over 1h

  outcome:
    $risk_score = max(95)
    $src_ip = array_distinct($req.principal.ip)
    $target_url = array_distinct($req.network.http.target_url)
    $http_method = array_distinct($req.network.http.method)
    $response_code = array_distinct($req.network.http.response_code)

  condition:
    $req or $proc
}

Chronicle YARA-L 2.0 rule detecting both the inbound HTTP injection attempt to FileZen endpoints and subsequent process execution patterns consistent with post-exploitation, with 1-hour aggregation window per source IP.

critical severity high confidence

Data Sources

Chronicle UDM Google Cloud HTTP load balancer logs Endpoint telemetry via Chronicle sensor

Required Tables

udm_events

False Positives

Web crawlers or security scanners that probe CGI endpoints with encoded payloads during authorized testing
Legitimate web shell management tools used by administrators that spawn child processes from web server paths
Application update scripts initiated by the FileZen appliance from its own web server process tree
Monitoring agents that use curl or wget to probe internal health check endpoints from the FileZen host

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN (NetworkReceiveAcceptIP4, NetworkReceiveAcceptIP6, ProcessRollup2, SyntheticProcessRollup2)
| case {
    #event_simpleName IN (NetworkReceiveAcceptIP4, NetworkReceiveAcceptIP6):
      RemotePort IN (80, 443, 8080, 8443)
      | ImageFileName MATCHES "(?i)(httpd|nginx|php-fpm|filezen|cgi)"
      ;
    #event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2):
      ParentBaseFileName IN ("httpd", "nginx", "php-fpm", "lighttpd", "apache2", "www")
      AND CommandLine MATCHES "(?i)(wget|curl|bash|sh|nc|ncat|python|python3|perl|ruby|/bin/sh|/bin/bash|chmod|chown|id |whoami)"
      ;
}
| CommandLine MATCHES "(?i)(wget|curl|bash|nc |ncat|python|perl|/etc/passwd|/bin/sh|/dev/tcp|socat|base64)"
  OR CommandLine MATCHES "[;&|`$(){}\[\]]"
| groupby([ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, RemoteAddressIP4], function=[count(aid), min(timestamp), max(timestamp)])
| eval CVE="CVE-2026-25108"
| eval Severity="Critical"
| eval Tactic="Initial Access + Execution"
| sort(timestamp, order=desc, limit=500)

CrowdStrike Falcon LogScale CQL detecting FileZen OS command injection by correlating network accept events on web ports from FileZen-related processes with subsequent child process spawning from web server parent processes executing shell commands consistent with post-exploitation activity.

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint sensor CrowdStrike Falcon Network containment telemetry

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=NetworkReceiveAcceptIP4 #event_simpleName=SyntheticProcessRollup2

False Positives

FileZen appliance running legitimate maintenance scripts that spawn shell processes from web server parent processes
Authorized server-side scripting within FileZen that uses curl or wget to interact with external update services
Security agent child processes spawned under the web server process tree during host-based scans
Legitimate administrative CLI operations initiated through the FileZen web management interface that execute underlying shell commands

Sigma rule & cross-platform mapping

The detection logic for Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108) (CVE-2026-25108) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-25108 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-25108

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-06-19 Research depth: standard

References (3)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1FileZen-style CGI Command Injection via HTTP GET parameter
Expected signal: Web server access log records GET request to /cgi-bin/upload.cgi with semicolon character in query string. Process audit log shows web server process (httpd/nginx) spawning /bin/sh or /bin/bash as child process executing 'id' command.
Test 2Post-Exploitation Reverse Shell Download via Injected wget
Expected signal: Web server access log shows POST to /admin/config.cgi with pipe and wget in POST body. Network telemetry shows outbound TCP connection from web server host to ATTACKER_HOST:8080. File creation event for /tmp/payload.sh. Process execution of wget and chmod as children of web server process.
Test 3Credential and Configuration Exfiltration via Piped cat Command
Expected signal: Web server log records GET request to /download endpoint with URL-encoded pipe and cat command sequence. Network telemetry shows outbound POST connection from FileZen host to ATTACKER_HOST:9090. Process audit captures cat /etc/passwd executed as child of web server process, followed by curl data exfiltration subprocess.
Test 4Webshell Implantation via Command Injection for Persistent Access
Expected signal: Web server access log records POST to CGI endpoint with semicolon and echo command in body. File creation event for /var/www/html/status.php with PHP content. Process tree shows web server spawning sh executing echo redirection. Subsequent access to /var/www/html/status.php with cmd parameter would indicate webshell usage.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-25108 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0002Execution TA0004Privilege Escalation TA0040Impact

Related Techniques

T1190Exploit Public-Facing Application T1059.004Unix Shell T1105Ingress Tool Transfer T1136Create Account

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-25108 Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-25108

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox